facebook-pixel

Phishing Attacks in Singapore: How to Recognize and Avoid Them in 2026

L
Lunyb Security Team
··9 min read

Phishing attacks in Singapore have reached record levels, with the Singapore Police Force reporting hundreds of millions of dollars lost to scams every year — a significant portion involving phishing links, spoofed government websites, and fake bank SMS messages. Whether you're a working professional in the CBD, a small business owner in Jurong, or a student using SingPass for the first time, understanding how phishing works is no longer optional. It's a core digital literacy skill.

This guide breaks down the phishing landscape in Singapore, the specific tactics targeting locals, and the practical steps you can take to protect yourself, your family, and your organisation.

What Is Phishing? A Quick Definition

Phishing is a form of social engineering where attackers impersonate a trusted entity — a bank, government agency, delivery service, or colleague — to trick victims into revealing sensitive information or clicking malicious links. The goal is almost always financial: stealing login credentials, one-time passwords (OTPs), credit card details, or SingPass access.

Modern phishing goes far beyond dodgy emails from a "Nigerian prince." In Singapore today, attacks are sophisticated, localised, and often indistinguishable from legitimate communications at first glance.

Why Singapore Is a High-Value Target

  • High digital adoption: Nearly universal smartphone and banking app usage.
  • Wealth concentration: One of the highest per-capita incomes in Asia.
  • Trust in institutions: Singaporeans generally trust official-looking government and bank messages, which scammers exploit.
  • Multilingual population: Attackers craft messages in English, Mandarin, Malay, and Tamil to widen their net.

Common Types of Phishing Attacks in Singapore

Phishing isn't one single attack — it's a family of techniques. Here are the variants Singaporeans encounter most often.

1. SMS Phishing (Smishing)

Fake SMS messages pretending to be from DBS, OCBC, UOB, POSB, or Singpost. Common themes include "suspicious transaction detected," "parcel delivery failed," or "IRAS tax refund pending." The message contains a shortened link leading to a spoofed login page.

2. Email Phishing

Emails impersonating Microsoft 365, Google Workspace, LinkedIn, or local brands like Shopee, Lazada, and Grab. Business email compromise (BEC) also targets SMEs, with attackers impersonating the CEO or a supplier to redirect invoice payments.

3. Voice Phishing (Vishing)

Callers pretending to be from the Singapore Police Force, ICA, MOH, or a bank's fraud department. They pressure victims to transfer money to a "safe account" or install remote-access apps like AnyDesk.

4. QR Code Phishing (Quishing)

Fake QR codes stuck on hawker stalls, parking meters, or sent via messaging apps. Scanning leads to a phishing site that mimics PayNow, PayLah!, or SingPass.

5. Spear Phishing

Highly targeted attacks against specific individuals — usually executives, finance staff, or IT admins. The attacker researches the target on LinkedIn and crafts a personalised message.

Real Phishing Red Flags to Watch For

Even the best-crafted phishing attempt usually contains at least one warning sign. Train yourself to spot them.

  1. Urgency and fear: "Your account will be suspended in 24 hours."
  2. Unusual sender addresses: Emails from dbs-security@gmail.com instead of an official @dbs.com.sg domain.
  3. Suspicious links: URLs like dbs.com.sg.login-secure.info — the real domain is the part right before the final .com/.sg.
  4. Requests for OTPs or passwords: No legitimate bank or agency will ever ask for these.
  5. Generic greetings: "Dear Valued Customer" instead of your actual name.
  6. Poor grammar or odd phrasing: Especially in Mandarin or Malay messages, translation errors are common.
  7. Unexpected attachments: Especially .zip, .html, or .pdf files from unknown senders.

Anatomy of a Typical Singapore Phishing Scam

Understanding the full attack lifecycle helps you spot phishing earlier in the chain.

StageWhat the Scammer DoesWhat You See
1. BaitSends SMS/email/WhatsApp with a hook"Your DBS account has been locked"
2. LureProvides a shortened or spoofed linkbit.ly/dbs-verify or dbs-sg[.]net
3. HookFake login page collects credentialsConvincing DBS iBanking clone
4. EscalateRequests OTP or 2FA code"Enter the SMS code to verify"
5. Cash OutTransfers funds to money-mule accountsUnauthorised PayNow or overseas transfer

How to Verify a Suspicious Link Safely

Before clicking any link — especially a shortened one — take a few seconds to verify it. Trustworthy link management platforms such as Lunyb provide transparent link previews and analytics so recipients can see where a shortened link truly leads before clicking, which is especially useful for businesses sending marketing or transactional links. If you'd like an independent perspective on the service, see our honest Lunyb review.

Practical Steps to Check a Link

  1. Long-press (mobile) or hover (desktop) over the link to preview the full URL.
  2. Use a link-expander tool to reveal where a shortened URL points.
  3. Check the domain carefully. Look at the part immediately before .com, .sg, or .gov.sg.
  4. Never log in via a link. Instead, open your banking app or type the URL manually.
  5. Look for HTTPS — but don't rely on it alone. Many phishing sites now have valid SSL certificates.

Sector-Specific Phishing Trends in Singapore

Banking and Finance

The most heavily targeted sector. MAS and the Association of Banks in Singapore (ABS) have rolled out the Shared Responsibility Framework (SRF), making banks liable for certain phishing losses — but only if the customer wasn't grossly negligent. Local banks have also removed clickable links from SMS notifications entirely.

Government Services

Scams impersonating SingPass, IRAS, MOH, ICA, and MOM are rampant. Genuine .gov.sg agencies will never SMS you a link asking for personal data. If in doubt, log into the official app directly.

E-Commerce and Delivery

"Parcel delivery failed" scams impersonating Singpost, Ninja Van, and J&T Express spike during festive shopping periods like 11.11, Black Friday, and Chinese New Year.

Small and Medium Businesses

SMEs face invoice fraud, fake supplier emails, and CEO impersonation. A single successful BEC attack can drain tens of thousands of dollars.

How to Protect Yourself: Personal Defences

1. Enable Strong Authentication Everywhere

Use SingPass Face Verification and app-based 2FA (not SMS OTP where possible). For banks, enable the money-lock feature that prevents online transfers from a portion of your savings.

2. Keep Devices Updated

Install iOS, Android, and browser updates promptly. Many phishing kits rely on outdated browsers to deliver drive-by malware.

3. Use the ScamShield App

Developed by the National Crime Prevention Council, ScamShield blocks known scam calls and SMS messages. It should be installed on every Singaporean's phone.

4. Practise the "Pause, Check, Confirm" Habit

Before acting on any urgent message, pause for 60 seconds. Verify by calling the organisation directly using a number from their official website — not the one in the message.

5. Strengthen Network-Level Privacy

Enable encrypted DNS (DNS over HTTPS) in your browser and router. This blocks many phishing domains before they even load. Consider a privacy-focused browser like Brave or Firefox with strict tracking protection enabled.

How Businesses Can Defend Against Phishing

Defence LayerTools / ActionsPriority
Email SecuritySPF, DKIM, DMARC (enforce reject), advanced threat protectionCritical
User TrainingQuarterly simulated phishing exercisesHigh
Endpoint ProtectionEDR software, disk encryption, patch managementHigh
Access ControlHardware security keys (FIDO2), least-privilege accessCritical
Link ManagementBranded, monitored short links with analyticsMedium
Incident ResponseDocumented playbook, 24/7 reporting channelHigh

Branded Short Links Build Trust

Customers are increasingly wary of unfamiliar link shorteners. Using a branded domain — through services like Lunyb or Rebrandly — signals authenticity. If you're comparing options, our 2026 URL shortener buyer's guide and Rebrandly review break down the trade-offs.

What to Do If You've Been Phished

Speed matters. The first hour after a successful phishing attack is critical.

  1. Call your bank immediately using the hotline on the back of your card. Most Singapore banks now offer a 24/7 anti-scam kill switch.
  2. Freeze affected accounts via your banking app or SingPass.
  3. Change passwords for the compromised account and any account sharing that password.
  4. Revoke active sessions and any suspicious linked apps or devices.
  5. Lodge a police report at any Neighbourhood Police Centre or via the e-service. This is required for insurance and bank reimbursement claims.
  6. Report to ScamShield and forward the phishing SMS to 9SPF-SPF (97972777).
  7. Notify PDPC if personal data of others was exposed (for businesses).

Emerging Phishing Threats in 2026

Attackers keep evolving. Here's what Singapore's cybersecurity community is watching closely this year.

AI-Generated Phishing

Large language models produce grammatically perfect phishing messages in any language, eliminating the classic "broken English" red flag. Voice cloning enables scam calls that sound exactly like a loved one or your boss.

Deepfake Video Calls

Fraudsters have used deepfaked Zoom calls to impersonate CFOs and authorise multimillion-dollar transfers. Always verify large financial requests via a second channel.

MFA Fatigue Attacks

Attackers spam victims with 2FA push notifications until they approve one out of frustration. Switch to number-matching or hardware key methods.

Malicious Browser Extensions

Fake extensions in the Chrome Web Store steal session cookies, bypassing 2FA entirely. Audit your installed extensions monthly.

Frequently Asked Questions

How do I report a phishing attack in Singapore?

Report phishing SMS to ScamShield or forward to 97972777. File a police report at police.gov.sg or any Neighbourhood Police Centre. For financial losses, call your bank's 24/7 fraud hotline immediately and contact the Anti-Scam Helpline at 1800-722-6688.

Will my bank refund me if I fall for a phishing scam?

Under the Shared Responsibility Framework, banks may bear part of the loss if they failed key duties (like sending unsolicited SMS with links). However, if you willingly provided your OTP or credentials, you may only receive partial or no reimbursement. Report the incident within 24 hours to maximise your chances.

Are shortened URLs always dangerous?

No. Shortened URLs are widely used by legitimate businesses for tracking and readability. The risk depends on the sender and the platform. Reputable services provide link previews, analytics, and abuse monitoring. Always preview a shortened link before clicking, especially if it arrived unexpectedly.

Can antivirus software stop phishing?

Antivirus and browser-based safe-browsing filters catch many known phishing domains, but new sites appear daily and often evade detection for hours. Technical tools should be layered with user awareness — the human is still the strongest and weakest link.

What's the difference between phishing and spear phishing?

Phishing is a broad, untargeted campaign sent to thousands of victims. Spear phishing is customised for one specific person or organisation, using research from LinkedIn, company websites, or previous data leaks. Spear phishing has a much higher success rate and is the preferred method for attacking businesses.

Final Thoughts

Phishing attacks in Singapore will continue to grow more sophisticated, but the fundamentals of defence remain the same: verify before you trust, never share OTPs, keep systems updated, and slow down when a message feels urgent. Individuals should install ScamShield and enable money-lock features. Businesses should invest in DMARC, security training, and branded link management to protect their customers and reputation.

Cybersecurity in Singapore is a shared responsibility between individuals, businesses, banks, and the government. By staying informed and building good digital habits, you significantly reduce your risk of becoming the next victim.

Protect your links with Lunyb

Create secure, trackable short links and QR codes in seconds.

Get Started Free

Related Articles